elastic
diff --git a/‎src/platform/packages/shared/kbn-cps-utils/components/project_picker.test.tsx‎
Lines changed: 1 addition & 1 deletion b/‎src/platform/packages/shared/kbn-cps-utils/components/project_picker.test.tsx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/platform/packages/shared/kbn-cps-utils/constants.ts‎
Lines changed: 1 addition & 1 deletion b/‎src/platform/packages/shared/kbn-cps-utils/constants.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/platform/packages/shared/kbn-cps-utils/types.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/platform/packages/shared/kbn-cps-utils/types.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/platform/packages/shared/kbn-lens-common-2/index.ts‎
Lines changed: 3 additions & 0 deletions b/‎src/platform/packages/shared/kbn-lens-common-2/index.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/platform/packages/shared/kbn-lens-common/embeddable/types.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/platform/packages/shared/kbn-lens-common/embeddable/types.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/platform/plugins/private/vis_types/vega/public/data_model/search_api.test.ts‎
Lines changed: 0 additions & 4 deletions b/‎src/platform/plugins/private/vis_types/vega/public/data_model/search_api.test.ts‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎src/platform/plugins/shared/cps/public/services/access_control.test.ts‎
Lines changed: 14 additions & 70 deletions b/‎src/platform/plugins/shared/cps/public/services/access_control.test.ts‎
Lines changed: 14 additions & 70 deletions
diff --git a/‎src/platform/plugins/shared/cps/public/services/access_control.ts‎
Lines changed: 3 additions & 16 deletions b/‎src/platform/plugins/shared/cps/public/services/access_control.ts‎
Lines changed: 3 additions & 16 deletions
diff --git a/‎src/platform/plugins/shared/cps/public/services/cps_manager.ts‎
Lines changed: 33 additions & 25 deletions b/‎src/platform/plugins/shared/cps/public/services/cps_manager.ts‎
Lines changed: 33 additions & 25 deletions
@@ -103,7 +103,7 @@ describe('ProjectPicker', () => {
   });
 
   describe('projectRouting change events', () => {
-    it('should call onProjectRoutingChange with ALL when "All projects" is clicked', async () => {
+    it('should call onProjectRoutingChange with PROJECT_ROUTING.ALL when "All projects" is clicked', async () => {
       const onProjectRoutingChange = jest.fn();
       await renderProjectPicker({
         projectRouting: PROJECT_ROUTING.ORIGIN,
 
@@ -13,7 +13,7 @@
  */
 export const PROJECT_ROUTING = {
   /** Search across all linked projects */
-  ALL: 'ALL',
+  ALL: '_alias:*',
   /** Search only the origin project */
   ORIGIN: '_alias:_origin',
 } as const;
 
@@ -50,4 +50,5 @@ export interface ICPSManager {
   getProjectRouting(): ProjectRouting | undefined;
   getDefaultProjectRouting(): ProjectRouting;
   getProjectPickerAccess$(): Observable<ProjectRoutingAccess>;
+  getProjectPickerAccess(): ProjectRoutingAccess;
 }
@@ -22,6 +22,7 @@ import type {
   PublishesViewMode,
   PublishesWritableDescription,
   PublishesWritableTitle,
+  PublishesUnsavedChanges,
 } from '@kbn/presentation-publishing';
 import type { LensApiSchemaType } from '@kbn/lens-embeddable-utils';
 import type { Simplify } from '@kbn/chart-expressions-common';
@@ -95,6 +96,8 @@ export type LensApi = Simplify<
     PublishesViewMode &
     // Let the container know the saved object id
     PublishesSavedObjectId &
+    // Let the container know about unsaved changes
+    PublishesUnsavedChanges &
     PublishesProjectRoutingOverrides &
     // Lens specific API methods:
     // Let the container know when the data has been loaded/updated
 
@@ -394,6 +394,8 @@ export type LensInternalApi = Simplify<
       updateBlockingError: (newBlockingError: Error | undefined) => void;
       resetAllMessages: () => void;
       getDisplayOptions: () => VisualizationDisplayOptions;
+      updateEditingState: (inProgress: boolean) => void;
+      isEditingInProgress: () => boolean;
     }
 >;
 
 
@@ -138,8 +138,4 @@ describe('SearchAPI projectRouting', () => {
   test('should not include project_routing in ES params when projectRouting is undefined', (done) => {
     testProjectRouting(undefined, undefined, done);
   });
-
-  test('should sanitize ALL projectRouting value', (done) => {
-    testProjectRouting('ALL', undefined, done);
-  });
 });
@@ -8,11 +8,7 @@
  */
 
 import { ProjectRoutingAccess } from '@kbn/cps-utils';
-import {
-  getProjectRoutingAccess,
-  DEFAULT_ACCESS_CONTROL_CONFIG,
-  type AccessControlConfig,
-} from './access_control';
+import { ACCESS_CONTROL_CONFIG, getProjectRoutingAccess } from './access_control';
 
 describe('Access Control Configuration', () => {
   describe('getProjectRoutingAccess', () => {
@@ -65,85 +61,33 @@ describe('Access Control Configuration', () => {
       });
     });
 
-    describe('with custom configuration', () => {
-      const customConfig: AccessControlConfig = {
-        myApp: {
-          defaultAccess: ProjectRoutingAccess.EDITABLE,
-        },
-        customApp: {
-          defaultAccess: ProjectRoutingAccess.DISABLED,
-          routeRules: [
-            {
-              pattern: /^#\/special/,
-              access: ProjectRoutingAccess.EDITABLE,
-            },
-          ],
-        },
-      };
-
-      it('should use custom app configuration', () => {
-        expect(getProjectRoutingAccess('myApp', '#/anything', customConfig)).toBe(
-          ProjectRoutingAccess.EDITABLE
-        );
-      });
-
-      it('should match route rules before defaultAccess', () => {
-        expect(getProjectRoutingAccess('customApp', '#/special/page', customConfig)).toBe(
+    describe('route rule priority', () => {
+      it('should check rules in order and match pattern before defaulting', () => {
+        // Rule matches: type:vega pattern -> EDITABLE (overrides DISABLED default)
+        expect(getProjectRoutingAccess('visualize', '#/edit/123?type:vega')).toBe(
           ProjectRoutingAccess.EDITABLE
         );
-        expect(getProjectRoutingAccess('customApp', '#/normal/page', customConfig)).toBe(
+        // No rule match: falls back to defaultAccess -> DISABLED
+        expect(getProjectRoutingAccess('visualize', '#/edit/456?type:lens')).toBe(
           ProjectRoutingAccess.DISABLED
         );
-      });
-
-      it('should return DISABLED for unconfigured apps', () => {
-        expect(getProjectRoutingAccess('unknownApp', '#/', customConfig)).toBe(
-          ProjectRoutingAccess.DISABLED
-        );
-      });
-    });
-
-    describe('route rule priority', () => {
-      const config: AccessControlConfig = {
-        testApp: {
-          defaultAccess: ProjectRoutingAccess.DISABLED,
-          routeRules: [
-            {
-              pattern: /^#\/admin/,
-              access: ProjectRoutingAccess.READONLY,
-            },
-            {
-              pattern: /^#\/edit/,
-              access: ProjectRoutingAccess.EDITABLE,
-            },
-          ],
-        },
-      };
-
-      it('should check rules in order', () => {
-        expect(getProjectRoutingAccess('testApp', '#/admin/settings', config)).toBe(
-          ProjectRoutingAccess.READONLY
-        );
-        expect(getProjectRoutingAccess('testApp', '#/edit/document', config)).toBe(
-          ProjectRoutingAccess.EDITABLE
-        );
-        expect(getProjectRoutingAccess('testApp', '#/view/document', config)).toBe(
+        expect(getProjectRoutingAccess('visualize', '#/create')).toBe(
           ProjectRoutingAccess.DISABLED
         );
       });
     });
   });
 
-  describe('DEFAULT_ACCESS_CONTROL_CONFIG', () => {
+  describe('ACCESS_CONTROL_CONFIG', () => {
     it('should have configuration for expected apps', () => {
-      expect(DEFAULT_ACCESS_CONTROL_CONFIG).toHaveProperty('dashboards');
-      expect(DEFAULT_ACCESS_CONTROL_CONFIG).toHaveProperty('discover');
-      expect(DEFAULT_ACCESS_CONTROL_CONFIG).toHaveProperty('visualize');
-      expect(DEFAULT_ACCESS_CONTROL_CONFIG).toHaveProperty('lens');
+      expect(ACCESS_CONTROL_CONFIG).toHaveProperty('dashboards');
+      expect(ACCESS_CONTROL_CONFIG).toHaveProperty('discover');
+      expect(ACCESS_CONTROL_CONFIG).toHaveProperty('visualize');
+      expect(ACCESS_CONTROL_CONFIG).toHaveProperty('lens');
     });
 
     it('should have route rules for dashboards', () => {
-      expect(DEFAULT_ACCESS_CONTROL_CONFIG.dashboards.routeRules).toHaveLength(1);
+      expect(ACCESS_CONTROL_CONFIG.dashboards.routeRules).toHaveLength(1);
     });
   });
 });
@@ -45,20 +45,8 @@ export type AccessControlConfig = Record<string, AppAccessConfig>;
  * - READONLY: View-only mode - shows current scope but prevents changes
  * - DISABLED: Picker is completely disabled
  *
- * Default Configuration:
- *
- * | App        | Route                  | Access Level | Notes                              |
- * |------------|------------------------|--------------|-------------------------------------|
- * | dashboards | all routes except list | EDITABLE     | All dashboard pages except listing  |
- * | dashboards | #/list                 | DISABLED     | List page only                     |
- * | discover   | all routes             | EDITABLE     | All discover pages                 |
- * | visualize  | type:vega in route     | EDITABLE     | Vega visualizations only           |
- * | visualize  | other routes           | DISABLED     | Other visualization types          |
- * | lens       | all routes             | EDITABLE     | All lens pages       |
- * | maps       | all routes             | EDITABLE     | All maps pages
- * | all others | all routes             | DISABLED     | Default behavior for unknown apps  |
  */
-export const DEFAULT_ACCESS_CONTROL_CONFIG: AccessControlConfig = {
+export const ACCESS_CONTROL_CONFIG: AccessControlConfig = {
   dashboards: {
     defaultAccess: ProjectRoutingAccess.EDITABLE,
     routeRules: [
@@ -93,10 +81,9 @@ export const DEFAULT_ACCESS_CONTROL_CONFIG: AccessControlConfig = {
  */
 export const getProjectRoutingAccess = (
   currentAppId: string,
-  hash: string,
-  config: AccessControlConfig = DEFAULT_ACCESS_CONTROL_CONFIG
+  hash: string
 ): ProjectRoutingAccess => {
-  const appConfig = config[currentAppId];
+  const appConfig = ACCESS_CONTROL_CONFIG[currentAppId];
   if (!appConfig) {
     return ProjectRoutingAccess.DISABLED;
   }
 
@@ -10,8 +10,13 @@
 import type { ApplicationStart, HttpSetup } from '@kbn/core/public';
 import type { Logger } from '@kbn/logging';
 import type { ProjectRouting } from '@kbn/es-query';
-import { BehaviorSubject, combineLatest, switchMap, tap } from 'rxjs';
-import { type ICPSManager, type ProjectsData, PROJECT_ROUTING } from '@kbn/cps-utils';
+import { BehaviorSubject, combineLatest, switchMap } from 'rxjs';
+import {
+  type ICPSManager,
+  type ProjectsData,
+  PROJECT_ROUTING,
+  ProjectRoutingAccess,
+} from '@kbn/cps-utils';
 import type { ProjectFetcher } from './project_fetcher';
 
 /**
@@ -35,34 +40,31 @@ export class CPSManager implements ICPSManager {
   private readonly projectRouting$ = new BehaviorSubject<ProjectRouting | undefined>(
     DEFAULT_PROJECT_ROUTING
   );
-  private readonly projectPickerAccess$;
-  private readonly projectPickerAccessValue$ = new BehaviorSubject<string>('editable');
+  private readonly projectPickerAccess$ = new BehaviorSubject<ProjectRoutingAccess>(
+    ProjectRoutingAccess.EDITABLE
+  );
 
   constructor(deps: { http: HttpSetup; logger: Logger; application: ApplicationStart }) {
     this.http = deps.http;
     this.logger = deps.logger.get('cps_manager');
     this.application = deps.application;
 
-    this.projectPickerAccess$ = combineLatest([
-      this.application.currentAppId$,
-      this.application.currentLocation$,
-    ]).pipe(
-      switchMap(async ([appId, location]) => {
-        // Lazy load access control only when observable is subscribed
-        const { getProjectRoutingAccess } = await import('./async_services');
-        return getProjectRoutingAccess(appId ?? '', location ?? '');
-      }),
-      tap((access) => {
-        this.projectPickerAccessValue$.next(access);
+    combineLatest([this.application.currentAppId$, this.application.currentLocation$])
+      .pipe(
+        switchMap(async ([appId, location]) => {
+          return (await import('./async_services')).getProjectRoutingAccess(
+            appId ?? '',
+            location ?? ''
+          );
+        })
+      )
+      .subscribe((access) => {
+        this.projectPickerAccess$.next(access);
         // Reset project routing to default when access is disabled
-        if (access === 'disabled') {
+        if (access === ProjectRoutingAccess.DISABLED) {
           this.projectRouting$.next(DEFAULT_PROJECT_ROUTING);
         }
-      })
-    );
-
-    // Subscribe to keep the value updated
-    this.projectPickerAccess$.subscribe();
+      });
   }
 
   /**
@@ -75,22 +77,22 @@ export class CPSManager implements ICPSManager {
   /**
    * Set the current project routing
    */
-  public setProjectRouting(projectRouting: ProjectRouting | undefined) {
+  public setProjectRouting(projectRouting: ProjectRouting) {
     this.projectRouting$.next(projectRouting);
   }
 
   /**
    * Get the current project routing value
    */
   public getProjectRouting() {
-    if (this.projectPickerAccessValue$.value === 'disabled') {
+    if (this.projectPickerAccess$.value === ProjectRoutingAccess.DISABLED) {
       return undefined;
     }
     return this.projectRouting$.value;
   }
 
   /**
-   * Get the default project routing value.
+   * Get the default project routing value from a global space setting.
    * This is the fallback value used when no app-specific or saved value exists.
    */
   public getDefaultProjectRouting(): ProjectRouting {
@@ -101,12 +103,18 @@ export class CPSManager implements ICPSManager {
    * Get the project picker access level as an observable.
    * This combines the current app ID and location to determine whether
    * the project picker should be editable, readonly, or disabled.
-   * Also returns the custom readonly message if applicable.
    */
   public getProjectPickerAccess$() {
     return this.projectPickerAccess$;
   }
 
+  /**
+   * Get the current project picker access value
+   */
+  public getProjectPickerAccess() {
+    return this.projectPickerAccess$.value;
+  }
+
   /**
    * Fetches projects from the server with caching and retry logic.
    * Returns cached data if already loaded. If a fetch is already in progress, returns the existing promise.
Original file line number	Diff line number	Diff line change
`@@ -50,4 +50,5 @@ export interface ICPSManager {`
`50`	`50`	`getProjectRouting(): ProjectRouting \| undefined;`
`51`	`51`	`getDefaultProjectRouting(): ProjectRouting;`
`52`	`52`	`getProjectPickerAccess$(): Observable<ProjectRoutingAccess>;`
	`53`	`+ getProjectPickerAccess(): ProjectRoutingAccess;`
`53`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -394,6 +394,8 @@ export type LensInternalApi = Simplify<`
`394`	`394`	`updateBlockingError: (newBlockingError: Error \| undefined) => void;`
`395`	`395`	`resetAllMessages: () => void;`
`396`	`396`	`getDisplayOptions: () => VisualizationDisplayOptions;`
	`397`	`+ updateEditingState: (inProgress: boolean) => void;`
	`398`	`+ isEditingInProgress: () => boolean;`
`397`	`399`	`}`
`398`	`400`	`>;`
`399`	`401`